QEMU Guest Agent 2.12.50 and earlier has an integer overflow that causes a g_malloc0() call to trigger a segmentation fault when it tries to allocate a very large memory chunk. The vulnerability can be exploited by sending a specific QMP command to the agent via its listening socket.
The vulnerability exists in phpMyAdmin version 4.8.1 and allows an attacker to bypass the whitelist check and include arbitrary files from the local system. It is caused by insufficient validation of the 'target' parameter in '/index.php'. An attacker can use a double-URL-encoded '%253f' payload to bypass the validation and include arbitrary local files.
A vulnerability in GreenCMS 2.3.0603 allows an unauthenticated attacker to remotely obtain sensitive information. By sending a specially crafted request to the vulnerable server, an attacker can access the log file which contains sensitive information such as usernames and passwords.
A CSRF vulnerability exists in LFCMS_3.7.0 that allows users to be added arbitrarily. The attack payload is an HTML form with hidden inputs containing the username, email, password, and repassword of the user to be added.
This exploit is based on CVE-2017-5151 targeting versions prior. The txtUserName and possibly txtPassword fields contain an unauthenticated SQL injection vulnerability that can be used for remote code execution. From the web login page, submit the following string as the username with anything in the password field; the web server will hang for 5 seconds: UyYr');WAITFOR DELAY '00:00:05'--. From the web login page, submit each of the following strings as the username, one at a time, with anything in the password field (for the ping, use a valid IP address that you can monitor): UyYr');EXEC sp_configure 'show advanced options', 1;RECONFIGURE;--, UyYr');EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--, UyYr');EXEC xp_cmdshell 'ping xxx.xxx.xxx.xxx';--
Orchid Core VMS is vulnerable to a directory traversal attack. A remote, unauthenticated attacker can send crafted GET requests to the application and read arbitrary files outside of the application's web directory. The issue is further compounded on Linux, where the Orchid Core VMS application runs in the context of a user in the sudoers group; as a result, any file on the underlying system whose location is known can be read.
The activator for Desktop Bridge applications calls CreateAppContainerToken while running as a privileged account, leading to creation of arbitrary object directories and so to EoP. As much of the activation of Desktop Bridge applications requires TCB privilege (such as creating the container), it’s delegated to the AppInfo service, which runs as Local System. During post activation, either through RAiLaunchProcessWithIdentity or RAiFinishPackageActivation, the API PostCreateProcessDesktopAppXActivation is called in daxexec, which sets up various things. One of those things is registering the process with the Process State Manager service, and to do that it passes an AppContainer token for the AppX package. To create the token the service calls the API CreateAppContainerToken; however, it doesn’t impersonate the user while doing this, which results in the service setting up the AppContainer object directories as the process user. By placing symbolic links into these locations, arbitrary object directories can be created, as long as the parent directory can be written by Local System. The created directories are also given an explicit DACL which grants the user access, so that they can also be written to by the original user once created. On Windows 8.1 this would be trivial to exploit, as NtCreateLowBoxToken didn’t care what handles you passed it for capture; however, since CVE-2015-2554 (which I reported) the system call checks that the directories are under the AppContainerNamedObjects directory for the user. They’re still created, but once NtCreateLowBoxToken is called they’ll be closed again. However, due to the way kernel objects persist it just becomes a race condition: as long as you open the directory you want before all handles are closed, you can keep it alive to do what you need to do with it, i.e. create a token.
A vulnerability in Apache CouchDB allowed an attacker to execute arbitrary shell commands on the server. It was caused by a lack of input validation in the configuration API: an attacker could send a specially crafted request to the configuration API and execute arbitrary shell commands on the server. This vulnerability affected versions <= 1.7.0 and 2.x up to 2.1.0.
This exploit allows an attacker to execute arbitrary commands on the TP-Link Technologies TL-WA850RE Wi-Fi Range Extender. The exploit is achieved by sending a specially crafted HTTP request to the device, which contains a command injection payload. The payload is then executed by the device.
NewMark CMS 2.1 is vulnerable to SQL Injection in the 'sec_id' parameter. An attacker can exploit this vulnerability by sending malicious payloads to the vulnerable parameter. The payloads can be of different types such as boolean-based blind, error-based, AND/OR time-based blind, and UNION query. These payloads can be used to extract sensitive information from the database.